ABSTRACT

A method of enabling a Web server to impersonate a Web client to thereby obtain access to files stored in a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. In response to receipt of a transaction request from the Web client, a determination is made whether the transaction request has originated from a user authenticated to access the distributed file system. If so, the Web server is controlled to reuse the credential of the user across multiple file accesses in the distributed file system on behalf of the Web client.

18 Claims, 3 Drawing Sheets
METHOD AND APPARATUS FOR ENABLING A WEB SERVER TO IMPERSONATE A USER OF A DISTRIBUTED FILE SYSTEM TO OBTAIN SECURE ACCESS TO SUPPORTED WEB DOCUMENTS

TECHNICAL FIELD

The present invention relates generally to Web transaction processing and more particularly to enabling access to Web documents stored in a secure distributed file system.

BACKGROUND OF THE INVENTION

The World Wide Web of the Internet is the most successful distributed application in the history of computing. In the Web environment, client machines effect transactions to Web servers using the Hypertext Transfer Protocol (HTTP), which is a known application protocol providing users access to files (e.g., text, graphics, images, sound, video, etc.) using a standard page description language known as Hypertext Markup Language ("HTML"). HTML provides basic document formatting and allows the developer to specify links to other servers and files. In the Internet paradigm, a network path to a server is identified by a so-called Uniform Resource Locator (URL) having a special syntax for defining a network connection. Use of an HTML-compatible browser (e.g., Netscape Navigator) at a client machine involves specification of a link via the URL. In response, the client makes a request to the server identified in the link and receives in return a document formatted according to HTML.

The Web server is usually a standalone file server that services various Web document requests. Because the server is self-contained, web site administration is cumbersome because access control must be individualized for each server.

Moreover, private and public enterprises are now setting up so-called "Intranets" within their organizations to allow employees and customers to access data on their own corporate Web sites. Such organizations use multiple computers interconnected into a distributed computing environment in which users access distributed resources and process applications. A known distributed computing environment, called DCE, has been implemented using software available from the Open Systems Foundation (OSF). As DCE environments become the enterprise solution of choice, many applications may be utilized to provide distributed services such as database access. OSF DCE includes a distributed file system, called Distributed File Services (DFS), for use in these environments. DFS provides many advantages over a standalone file server, such as higher availability of data and resources, the ability to share information throughout a very large-scale system, and protection of information by the robust DCE security mechanism. In particular, DFS makes files highly available through replication, making it possible to access a copy of a file if one of the machines where the file is located goes down. DFS also brings together all of the files stored in various file systems in a global namespace. Multiple servers can export their file system to this namespace. All DFS users, in the meantime, share this namespace, making all DFS files readily available from any DFS client machine.

It would be highly desirable to extend the functionality of existing standalone Web servers in the enterprise environment to take advantage of the scalability, file availability and security features of DFS (or other similar distributed file systems). As a by-product, users with an off-the-shelf browser would be able to easily access the Web information stored in the DFS namespace with no additional software on the client machine.

SUMMARY OF THE INVENTION

It is thus a primary object of the invention to extend the functionality of a standalone Web server in the enterprise setting to take advantage of distributed file system capabilities.

It is another object of the invention to enable a client browser to access Web documents stored in a distributed file system without changes to the browser software.

It is another object to enable a Web server to efficiently and rapidly switch the "identity" it presents to a distributed file system. This enables the Web server to transparently "borrow" the credentials of a user that has been authenticated to access the distributed file system.

It is another object to allow users with off-the-shelf browsers to access Web documents stored in a distributed file system global namespace with a single login.

Another important object of the invention is to provide a server application function (SAF) plug-in to a Web server that enables the Web server to maintain a security context in the World Wide Web environment.

A more general object of the invention is to enable any gateway function (e.g., a Web server) to rapidly "modulate" between identities presented to an environment whose resources are accessed through the gateway. Preferably, the invention is implemented as a server application function (SAF) plug-in to a Web server program together with a session manager process. In operation, the session manager process is invoked by the Web server when a user attempts to access a DFS file. If a user has already been authenticated by a DCE Security Service associated with DFS, the session manager returns the user credential to the Web server, and the server uses this credential to retrieve DFS documents on behalf of the user. If the user has not been authenticated, the session manager performs a login sequence for the user and obtains the credential from the DCE Security Service.

The session manager maintains an in-memory database to keep track of which users have logged in so that multiple transactions may be carried out with a single login. In particular, this database stores a user "credential," which includes the user id, password, a credential file name, and an authentication identifier known as a Process Authentication Group (PAG). A PAG acts as a tag for associating "tickets" between DFS and the DCE Security Service. In DCE, an authenticated user thus has a credential that includes a PAG. On subsequent arrivals of the same user id and password at the Web server, the DCE Security Service would normally make a call into the DFS kernel to obtain a new PAG, which would then be stamped into the Web server process. According to the present invention, however, the PAG in the original credential is maintained (i.e. is not modulated) from one Web transaction to another transaction. In other words, PAGs are reused by the Web server (until a RemovePAG call is made), thereby avoiding network traffic between the DCE Security Service and DFS that would significantly increase the file access time.

The foregoing has outlined some of the more pertinent objects and features of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the
disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the Preferred Embodiment.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and the advantages thereof, reference should be made to the following Detailed Description taken in connection with the accompanying drawings in which:

FIG. 1 is a representative system in which the server application function (SAF) plug-in and session manager of the present invention are implemented;

FIG. 2 is a flowchart of a conventional Web transaction implemented by a Web server in response to receipt of a request from a client machine;

FIG. 3 is a process flow diagram illustrating a Web transaction implemented according to the teachings of the present invention;

FIG. 4 is a detailed flowchart showing the process flow of the server plug-in of the invention for providing DCE/DFS authentication and importing DCE/DFS credentials into a Web server process;

FIG. 5 is a flowchart illustrating the session manager login request routine of FIG. 4; and

FIG. 6 is a flowchart illustrating a routine for removing DCE/DFS credentials from a Web server process according to the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A representative system in which the present invention is implemented is illustrated in FIG. 1. A client machine 10 is connected to a Web server platform 12 via a communication channel 14. For illustrative purposes, channel 14 is the Internet, an Intranet or other known connection. In the case of the Internet, Web server platform 12 is one of a plurality of servers which are accessible by clients, one of which is illustrated by machine 10. A client machine includes a browser 16, which is a known software tool used to access the servers of the network. Representative browsers include, among others, Netscape Navigator (all versions), Microsoft Internet Explorer (all versions) or the like, each of which are "off-the-shelf" or downloadable software programs. The Web server platform (sometimes referred to as a "Web" site) supports files in the form of hypertext documents and objects. In the Internet paradigm, a network path to a server is identified by a so-called Uniform Resource Locator (URL). The World Wide Web is the Internet's multimedia information retrieval system. In particular, it is a collection of servers of the Internet that use the Hypertext Transfer Protocol (HTTP), which provides users access to files using Hypertext Markup Language (HTML).

A representative Web Server platform 12 comprises an IBM RISC System/6000 computer 18 (a reduced instruction set or so-called RISC-based workstation) running the AIX (Advanced Interactive Executive Version 4.1 and above) Operating System 20 and a Web server program 22, such as Netscape Enterprise Server Version 2.0, that supports interface extensions. The platform 12 also includes a graphical user interface (GUI) 24 for management and administration. The various models of the RISC-based computers are described in many publications of the IBM Corporation, for example, RISC System/6000, 7013 and 7016 POWERstation and POWERserver Hardware Technical Reference, Order No. SA23-2644-00. AIX OS is described in AIX Operating System Technical Reference, published by IBM Corporation, First Edition (November 1985), and other publications. While the above platform is useful, any other suitable hardware/operating system/web server combinations may be used.

The Web Server accepts a client request and returns a response. The operation of the server 18 is governed by a number of server application functions (SAFs), each of which is configured to execute in a certain step of a sequence. This sequence, illustrated in FIG. 2, begins with authorization translation (AuthTrans) 30, during which the server translates any authorization information sent by the client into a user and a group. If necessary, the AuthTrans step may decode a message to get the actual client request. At step 32, called name translation (NameTrans), the URL associated with the request may be kept intact or it can be translated into a system-dependent file name, a redirection URL or a mirror site URL. At step 34, called path checks (PathCheck), the server performs various tests on the resulting path to ensure that the given client may retrieve the document. At step 36, sometimes referred to as object types (ObjectType), MIME type information (e.g., text/html, image/gif, etc.) for the given document is identified. At step 38, called Service (Service), the Web server routine selects an internal server function to send the result back to the client via a normal server-service routine. The particular function selected depends on the nature of the request. At step 40, called Add Log (AddLog), information about the transaction is recorded. At step 42, called Error, the server responds to the client when it encounters an error. Further details of these operations may be found in the Netscape Web Server Programmer's Guide, Chapter 5, which is incorporated herein by reference.

Thus, the Web server 18 includes a known set of server application functions (SAFs) 28. These functions take the client's request and other configuration data of the server as input and return a response to the server as output. Referring back to FIG. 1, the Web server 18 also includes an Application Programming Interface (API) 26 that provides extensions to enable application developers to extend and/or customize the core functionality thereof (namely, the SAFs) through software programs commonly referred to as "plug-ins." The present invention makes use of the server API 26 to provide for a plug-in SAF 25 that, together with a session manager process 27, facilitates special forms of authorization translation (AuthTrans) and path checking (PathCheck) to enable Web access to documents on a distributed file system 50.

In particular, according to a general object of the present invention, it is desired to enable the user of the client machine 10 (intentionally or unknowingly) to use the (preferably) off-the-shelf browser 16 to access, browse and retrieve documents located in the distributed file system 50. In the preferred embodiment, the plug-in SAF 25 and session manager process 27 provide a novel mechanism to achieve this object. One such file system 50 is Distributed File Services (DFS), which is a known distributed file system implemented in a networked environment called the Distributed Computing Environment (DCE). DCE has been implemented using software available from the Open Systems Foundation (OSF). In a distributed computing environment, a group of machines is typically referred to as a "domain." An OSF DCE domain is called a "cell." A DCE cell may be a complex environment involving hundreds of machines in many locations.

DCE DFS 50 provides data sharing services by making use of remote procedure calls (RPC's) for naming, and a
DCE Security Service 52 for authentication services. DFS 50 interfaces to the DCE Security Service 52 via the session manager process 27, as will be described below. In addition to its use of DCE Services, DFS itself is rich in features. It provides a uniform global filespace which allows all DFS client users to see the same view of the filespace, and it caches filesystem data at the client for improved scalability and performance by reducing network traffic to file servers. DFS also supports advisory file locking, and one of its features is the ability to export the operating system's native filesystem. For example, in the case of the AIX Operating System, the native filesystem is the Journaled File System (JFS). In addition, DFS also provides its own physical filesystem, the DCE Local File System (LFS). The DCE LFS provides support for DCE Access Control Lists (ACL's) on files and directories for securing access to data and advanced data management capabilities such as replication and load balancing.

DFS 50 uses so-called DCE Kerberos-based authentication. A Unix credential is associated with each file operation and holds the local authentication information for that operation. In particular, a credential is a data structure defining a particular machine (or a user on a multi-user machine). From the local operating system's point-of-view, the credential includes a user id, a group id, optionally a list of operating system privileges, and an authentication identifier known as a PAG (Process Authentication Group). The PAG acts as a tag for associating "tickets" between DFS 50 and the DCE Security Server 52. When DFS users authenticate via the DCE Login facility, known as dce_login, the DCE Security Service interacts with DFS (across the network) through a setpag( ) interface to establish the PAG/ticket relationship in the process's credential. On file-system requests, DFS extracts the PAG from the credential structure to establish the DCE user's authentication for RPC requests to the DFS fileserver.

The control flow associated with the invention is illustrated in the process flow diagram of FIG. 3. This figure illustrates the basic system of FIG. 1, with the inclusion of an account manager 56 having an associated database 58. Session manager 27 starts up upon initialization of the Web server and is preferably run by the workstation computer 18. It includes its own storage area 29 for reasons to be discussed below. When the client 10 (through the browser 16) requests a DFS document (step a), the Web server 18 invokes a server path check (using the SAF plug-in 25) (step b). The PathCheck checks with the session manager 27 to determine whether the user has appropriate DCE credentials. If not (step c), the SAF plug-in 25 will return an error message (e.g., "401; Unauthorized") to the browser 16 (step d) and prompt the user for user id and password. After getting the userid and password from the user (step e), the SAF plug-in invokes the session manager 27 (step f) to obtain the DCE credential for the user. Session manager 27 returns the DCE credential to the Web server (step g). The server then uses this user credential to represent the user to retrieve documents stored in DFS 50 (step h). After retrieving the documents, the account manager 56 is invoked (step i) (preferably using another API plug-in) to save appropriate usage information into the database 58 (step j).

The session manager 27 is thus invoked by the Web Server when a user attempts to access a DFS file. If a user has already been authenticated by DCE, the Session Manager 27 returns the user credential to the server, which uses this credential to retrieve DFS documents on behalf of the user. If not, the Session Manager 27 will login for the user and obtain the credential from DCE Security. The Session Manager maintains the in-memory database 29 to keep track of which user has logged in so that a user may access multiple DFS pages.

A detailed flowchart showing the operation provided by the Server Application Function (SAF) plug-in 25 and the session manager process 27 of the present invention is now illustrated in FIGS. 4-5. In general, it should be appreciated that the invention enables the Web server process 22 to impersonate a DCE identity. The method begins when a DCE principal name (actually the account name) first shows up at the Web server platform 12. In particular, at step 60, the routine passes the account name and password to the session manager for login request processing. FIG. 5 illustrates the process in detail. At step 61, a test is made to determine whether the account name and password are already in the session manager database 29. If the outcome of the test at step 61 is positive, the user has already been authenticated and the subroutine continues at step 64 to return the user's credentials to the calling process. If the outcome of the test is negative, however, the subroutine continues with step 62. This causes the session manager 27 to perform a full dce_login to the DCE Security Service 52. The session manager preferably runs as the same effective Unix id as the Web server processes. A test is then made at step 63 to determine if the login sequence was successful. If not, the subroutine returns an error to the requesting process at step 65. If the outcome of the test at step 63 is positive, the resulting user id, password, credential file name, and ticket expiration time are saved for reuse in the session manager database 29. This is step 66. This credential information is then returned to the calling process at step 64, and the subroutine returns. This completes step 60 in FIG. 4.

Referring now back to FIG. 4, on subsequent arrivals to the Web server 18 of the same user id and password, a test is performed by the session manager process at step 68 to determine if the database 29 includes a match for the key (in the simplest case, for example only, the combination of the user id and password). If the outcome of the test at step 68 is negative, an error message (e.g., "401 Unauthorized") is returned to the client at step 70. If the outcome of the test at step 68 is positive (indicating that an unexpired match to the key has been found), the routine continues at step 72 to extract the credential file name from the session manager database entry. An environment variable KRB5CCNAME is then set with that credential file name at step 74. At step 76, the PAG is extracted from the credential file name. At step 78, a system call, referred to as dfsInstallPAG, is made to DFS 50, and this call is made in lieu of certain security context processing that would take place in DCE. In particular, when a DCE login is in progress and the user has reached the point where DCE believes the user to be whom he or she purports to be, the DCE credentials are saved in a file owned by the current effective UID but otherwise unreadable. The dce_login process then makes this DCE security context the default one for this process using a sec_login_set_context( ) call (to set the default context). The sec_login_set_context( ) function calls into DFS in the kernel, asking it to obtain a new Process Authentication Group (PAG) and to insert it into the kernel environment for the current process. In the conventional operation, DFS stamps this new PAG value into the credential structure of the current process, and then returns this value to the calling program (dce_login). DCE security takes the value, converts it to a printable entity, and then creates a link to the credentials file by this name. For example, if the value that DFS returns is 0x417D5432, then the credential file has two names, one assigned by DCE security, and the other computed from the PAG being dcecred_417D5432.
According to the present invention, significant processing optimization is achieved (after the initial user login) by avoiding the requirement of either performing a full dce_login, or importing a security context from a file and installing a new PAG in the credential, when the userid and password are later received at the Web server. In contrast to the prior art, the system call dfsInstallPAG does not create a new PAG but simply accepts the one that is passed from the session manager (and which was obtained as a result of the original login authentication). Thus, together with the saving of the user credential in the session manager (which obviates multiple logins), the present invention contemplates reuse of the PAG (or other such similar authentication identifier) across multiple Web transactions.

Returning now back to FIG. 4, the remainder of the Web transaction processing is now described. At step 80, DFS determines whether the credential file is readable by the Web server using a kernel level call. If the outcome of the test at step 80 is negative, the routine branches back to step 70 and returns an error message. If the outcome of the test at step 80 is positive, however, the routine continues. At step 82, DFS stamps the PAG into the control block (e.g., the u-block) of the currently-running process of the Web server. At this point, both user-space DCE and kernel-space DFS are content that the Web server is running on behalf of the user whose credentials have been "borrowed." Stated differently, the Web server is now impersonating the user from the kernel-level view as well as from the user-space view because the DCE/DFS credentials are imported into the process. This completes the processing of the server plug-in of the invention. The Web transaction itself continues at step 84, which corresponds (for example) to steps 36 and 38 of FIG. 2.

In the preferred embodiment, it is desirable to remove the DCE identity from the Web server so that random Web processes are not always running with the DCE credentials of the last DCE user handled by this process. This is accomplished by the routine of FIG. 6. This routine begins at step 84 by testing whether or not the logging SAF (e.g., step 40 in FIG. 2) has been carried out (in other words, that the user has been provided with the requested document). If the outcome of the test at step 84 is positive, the KRB5CCNAME environment variable is reset to a default or null value at step 85. The routine then performs a DFS system call, named dfsRemovePAG, at step 86. In the illustrative embodiment, dfsRemovePAG removes the DCE identity by stamping an invalid PAG into the Web server. At step 87, with the DCE/DFS credentials now removed from the process, the routine returns control to the server, and the routine terminates.
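The login, lookup, install and remove steps of FIGS. 4 through 6 in one piece, as an added example that is not code from the patent nor from any IBM, Netscape or OSF product. It is written in Python so the cache logic stays readable; the real plug-in would be a C server application function built against the Netscape server API. dce_login, dfsInstallPAG and dfsRemovePAG are modelled by a stub callable and by fields on a WebServerProcess object, the /var/dce/creds directory and the eight-hour ticket lifetime are assumptions, and the sample account alice is constructed. One deliberate departure from the text: the cache key is the user id plus an HMAC of the password under a per-process random key rather than the plaintext password, so a dump of the session manager's memory does not yield passwords.

```python
"""Model of the session-manager credential cache (database 29) and the PAG
install/remove lifecycle of FIGS. 4-6.  Added example: the DCE login, the DFS
system calls and the Netscape SAF API are stand-ins, not the real interfaces."""
import hashlib, hmac, os, time
from dataclasses import dataclass, field

TICKET_LIFETIME = 8 * 3600   # assumed DCE ticket lifetime, in seconds
INVALID_PAG = 0              # stand-in for the invalid PAG that dfsRemovePAG stamps

@dataclass
class Credential:
    user_id: str
    cred_file: str   # the dcecred_<PAG> link name, e.g. .../dcecred_417D5432
    pag: int
    expires: float   # ticket expiration time, epoch seconds

@dataclass
class WebServerProcess:   # environment (user-space view) + PAG in the control block (kernel view)
    env: dict = field(default_factory=dict)
    pag: int = INVALID_PAG

def pag_from_cred_file(cred_file):
    """Step 76: recover the PAG from the dcecred_<hex> credential file name."""
    name = os.path.basename(cred_file)
    if not name.startswith("dcecred_"):
        raise ValueError("not a PAG-named credential file: " + name)
    return int(name[len("dcecred_"):], 16)

class SessionManager:
    """Database 29.  The patent keys entries on (user id, password); this model keys on
    user id plus an HMAC of the password under a per-process random key (deliberate change)."""
    def __init__(self, dce_login, clock=time.time):
        self._db = {}
        self._dce_login = dce_login   # callable(user, pw) -> (cred_file, pag) or None
        self._key = os.urandom(32)
        self._clock = clock

    def _key_for(self, user_id, password):
        tag = hmac.new(self._key, password.encode(), hashlib.sha256).hexdigest()
        return (user_id, tag)

    def lookup(self, user_id, password):
        """FIG. 5 step 61 / FIG. 4 step 68: an unexpired match for the key, else None."""
        cred = self._db.get(self._key_for(user_id, password))
        return cred if cred is not None and cred.expires > self._clock() else None

    def login_request(self, user_id, password):
        """FIG. 5, steps 61-66: cached credential, else a full dce_login, then cache it."""
        cred = self.lookup(user_id, password)
        if cred is not None:
            return cred                                  # step 64: already logged in
        result = self._dce_login(user_id, password)      # step 62
        if result is None:
            return None                                  # step 65: login failed
        cred_file, pag = result
        cred = Credential(user_id, cred_file, pag, self._clock() + TICKET_LIFETIME)
        self._db[self._key_for(user_id, password)] = cred   # step 66 (replaces an expired entry)
        return cred

def path_check(proc, sm, user_id, password):
    """FIG. 4, steps 68-82: install the cached identity, or answer 401."""
    cred = sm.lookup(user_id, password)
    if cred is None or pag_from_cred_file(cred.cred_file) != cred.pag:
        return 401                                       # step 70 (or file name / PAG mismatch)
    proc.env["KRB5CCNAME"] = cred.cred_file              # step 74
    proc.pag = cred.pag                                  # steps 76-82: reuse the PAG, never mint one
    return 200

def add_log(proc):
    """FIG. 6: once the transaction is logged, drop the borrowed identity."""
    proc.env["KRB5CCNAME"] = ""                          # step 85
    proc.pag = INVALID_PAG                               # step 86: dfsRemovePAG

def demo():
    """Drive the flow with a constructed DCE stub, one sample account and a clock."""
    accounts, pags = {"alice": "s3cret"}, iter([0x417D5432, 0x5A1B2C3D])
    calls, now = {"dce_login": 0}, [1_000_000.0]
    def fake_dce_login(user, pw):
        calls["dce_login"] += 1
        if accounts.get(user) != pw:
            return None
        pag = next(pags)
        return ("/var/dce/creds/dcecred_%08X" % pag, pag)   # assumed directory
    sm, proc, out = SessionManager(fake_dce_login, clock=lambda: now[0]), WebServerProcess(), {}
    for _ in range(2):                                   # first arrival logs in, second hits the cache
        sm.login_request("alice", "s3cret")
    out["logins_after_two_requests"] = calls["dce_login"]
    out["status"] = path_check(proc, sm, "alice", "s3cret")
    out["pag_installed"], out["krb5ccname"] = proc.pag, proc.env["KRB5CCNAME"]
    add_log(proc)
    out["pag_after_log"] = proc.pag
    out["bad_password"] = path_check(proc, sm, "alice", "wrong")
    now[0] += TICKET_LIFETIME + 1                        # let the ticket expire
    out["expired"] = path_check(proc, sm, "alice", "s3cret")
    out["relogin_pag"], out["total_logins"] = sm.login_request("alice", "s3cret").pag, calls["dce_login"]
    return out
```

Two points the model makes visible. First, add_log must run on every path out of the transaction, error paths included; if the Error SAF short-circuits the AddLog step, the next request served by that process inherits the previous user's PAG, which is exactly the hazard the FIG. 6 paragraph describes. Second, expiry is checked on every lookup rather than only at login time, so a cached entry whose ticket has lapsed falls through to a fresh dce_login instead of installing a PAG that DFS will no longer honour.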

Thus, according to one preferred embodiment of the 
present invention, a certain environment variable, 
KRB5CCNAME in the current DCE implementations, con- 
tains the name of a file that has all the information necessary 
for the Web server to impersonate the user whose credentials 
the file contains. This file is owned by the current effective 
Unix user ID, and readable only by processes running as that 
user (or root). From the perspective of the user-space 
security context, it is assumed that this is proper behavior 
(i.e. that any process owned by the effective Unix ID can 
become the DCE user). 
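An added check for the assumption just stated, written by this editor and not part of the patent: before a process points KRB5CCNAME at a credential file and imports it, confirm that the file really is a regular file owned by the current effective UID with no group or other permission bits set, and refuse otherwise. The file contents and the dcecred_417D5432 name are constructed in a scratch directory; nothing is read from a DCE installation.

```python
"""Verify that a credential cache file named by KRB5CCNAME is safe for this
process to import.  Added example; the patent only states that the file is
owned by the effective UID and otherwise unreadable, the checks are the
editor's rendering of that assumption."""
import os
import stat
import tempfile

def credential_file_is_importable(path, euid=None):
    """True only if path is a regular file owned by euid (default: our own
    effective UID) with no group or other permission bits set."""
    euid = os.geteuid() if euid is None else euid
    try:
        st = os.stat(path)          # follows the dcecred_<PAG> link to the real file
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != euid:
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

def demo():
    """Exercise the check against constructed files in a scratch directory."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "dcecred_417D5432")
        with open(good, "wb") as f:
            f.write(b"constructed, not a real DCE credential cache\n")
        os.chmod(good, 0o600)
        out["mode_0600"] = credential_file_is_importable(good)
        out["other_owner"] = credential_file_is_importable(good, euid=os.geteuid() + 1)
        os.chmod(good, 0o644)
        out["mode_0644"] = credential_file_is_importable(good)
        out["missing"] = credential_file_is_importable(os.path.join(d, "dcecred_00000000"))
        out["directory"] = credential_file_is_importable(d)
    return out
```

The check does nothing against other processes that already run as the same effective UID, which the text explicitly accepts as proper behaviour; on a server that runs many worker processes as one Unix user, that UID boundary is the whole of the isolation between users being served concurrently.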

The kernel space representation of DCE security can have no such dependencies on environment variables, or pointers to data structures in user-space, but must instead rely on linkages set up in kernel data structures that cannot be compromised by user programs. DFS thus looks to the PAG in the credential and, according to the invention as noted above, the PAG is not modulated across Web transactions. This avoids the network traffic and secure remote procedure calls between DFS and the DCE Security Service (that would otherwise be required to set the security context) and that would significantly slow down the file access.

One of the preferred implementations of the plug-in and session manager of the invention is as a set of instructions (program code) in a code module resident in the random access memory of the computer. Until required by the computer, the set of instructions may be stored in another computer memory, for example, in a hard disk drive, or in a removable memory such as an optical disk (for eventual use in a CD ROM) or floppy disk (for eventual use in a floppy disk drive), or downloaded via a computer network. In addition, although the various methods described are conveniently implemented in a general purpose computer selectively activated or reconfigured by software, one of ordinary skill in the art would also recognize that such methods may be carried out in hardware, in firmware, or in more specialized apparatus constructed to perform the required method steps.

Further, although the invention has been described in terms of a preferred embodiment in a specific distributed file system environment, those skilled in the art will recognize that the invention can be practiced, with modification, in other and different hardware and operating system architectures within the spirit and scope of the appended claims. Thus, for example, while the present invention is preferably implemented to allow off-the-shelf browsers to access Web documents stored in DFS, the principles of the invention are equally applicable with other known architectures such as AFS (from which DFS was derived), as well as the Network File System (NFS) developed by Sun Microsystems. Moreover, implementation in OSF DCE is not a requirement of the present invention either.

Further, it should be appreciated that the browser, Web server and distributed file system architecture in which the present invention is implemented can be generalized as well. In particular, the Web server may be thought of as merely a "gateway" function to provide one or more users (the Web clients in the context of the invention) access to resources in some "environment" (e.g., the distributed file system) that may or may not be on a different machine. Thus, the present invention can be seen to provide an efficient way for any gateway function to rapidly modulate between the identities that it presents to the user (from the view of the user-space) and to the environment (from the view of the environment kernel). According to the invention, it is envisioned that a user login credential be saved in the session manager for reuse across gateway transactions and that the gateway impersonate the user using this credential to obtain a service from the environment. The performance enhancements provided by the invention (through re-use of authentication information across multiple transactions) would apply as well.

Having thus described our invention, what we claim as new and desire to secure by Letters Patent is set forth in the following claims:

1. A method operative during a stateless Web transaction for enabling a Web server to impersonate a Web client to obtain access to files stored in a distributed file system of a stateful distributed computing environment, the distributed computing environment including a security service for returning a credential to a user authenticated to access the distributed file system, the method comprising the steps of:

responsive to receipt of a Web transaction request from the Web client, determining whether the transaction request has originated from a user authenticated to access the distributed file system;

if the transaction request has originated from a user authenticated to access the distributed file system, having the Web server reuse an authentication identifier of the credential of said user to retrieve a file stored in the distributed file system on behalf of the Web client; and

upon logging of the Web transaction, temporarily inhibiting the Web server from using the authentication identifier until a next Web transaction by the user.

2. The method as described in claim 1 wherein if the transaction request has not originated from a user authenticated to access the distributed file system, a login sequence for the Web client is initiated to attempt to authenticate the Web client.

3. The method as described in claim 1 wherein the authentication identifier is used across multiple file accesses in the distributed file system.

4. The method as described in claim 3 wherein the 
authentication identifier is a Process Authentication Group 
(PAG) that is stamped by the distributed file system into a 
control block of the Web server. 

5. The method as described in claim 1 further including the step of maintaining a store of the credentials of users authenticated to access the distributed file system.

6. The method as described in claim 1 wherein the Web 
client includes a browser and is connected to the Web server 
via the World Wide Web of the Internet. 

7. A method operative during a stateless Web transaction 
for enabling a Web server to impersonate a Web client to 
obtain access to Web documents stored in a distributed file 
system of a stateful distributed computing environment, the 
distributed computing environment including a security ser- 
vice for returning a credential to a user authenticated to 
access the distributed file system, comprising the steps of: 

maintaining a storage of the credentials of the users 
authenticated to access the distributed file system; 

responsive to receipt of a user id and password from the 
Web client during a Web transaction, determining 
whether the user id and password map into one of the 
credentials maintained in the storage; 

if the user id and password map into one of the credentials 
maintained in the storage, having the Web server reuse 
authentication information in the credential associated 
with the user id and password to retrieve a file in the 
distributed file system on behalf of the Web client; and 

upon logging of the Web transaction, temporarily inhib- 
iting the Web server from using the authentication 
information until a next Web transaction by the user. 

8. The method as described in claim 7 wherein if the user id and password do not map into a credential maintained in the storage, a login sequence for the Web client is initiated to attempt to authenticate the Web client.

9. The method as described in claim 7 wherein the storage 
of credentials is maintained by a session manager process. 

10. A computer program product in a computer readable medium for use in a computer during a stateless Web transaction to enable a Web server to impersonate a Web client and obtain access to Web documents stored in a distributed file system of a stateful distributed computing environment, the distributed computing environment including a security service for returning a credential to a user authenticated to access the distributed file system, the computer program product comprising:

means for maintaining a storage of the credentials of the users authenticated to access the distributed file system;

means responsive to receipt of a user id and password from the Web client during a Web transaction, for determining whether the user id and password map into one of the credentials maintained in the storage;

means responsive to the determining means for controlling the Web server to reuse authentication information in the credential associated with the user id and password to retrieve a file in the distributed file system on behalf of the Web client; and

means responsive to logging of the Web transaction for temporarily inhibiting the Web server from using the authentication information until a next Web transaction by the user.

11. The computer program product as described in claim 
10 further including means responsive to the determining 
means for initiating a login sequence if the user id and 
password do not map to a credential maintained in the 
storage. 

12. The computer program product as described in claim 10 wherein the determining means and the controlling means are supported as a Server Application Function (SAF) plug-in to an Application Programming Interface of the Web Server.

13. A computer connectable to a stateful distributed computing environment having a distributed file system service and a security service for returning a credential to a user authenticated to access the distributed file system, the computer comprising:

a processor;

an operating system;

a Web server program for providing Web information retrieval to Web clients connectable to the Web server program via a stateless computer network;

a session manager program for maintaining a storage of the credentials of the users previously authenticated to access the distributed file system; and

a server plug-in program responsive to receipt of a user id and password from the Web client during a Web transaction (a) for determining whether the user id and password map into one of the credentials maintained in the storage, (b) for controlling the Web server to reuse authentication information in the credential associated with the user id and password to retrieve a file in the distributed file system on behalf of the Web client; and (c) for inhibiting the Web server from using the authentication information after the Web transaction is complete and until a next Web transaction is initiated to the distributed file system from a user having the user id and password.

14. A method operative during a stateless transaction for enabling a process to impersonate a user, the process connectable to a stateful environment having a security service for returning a credential to a user authenticated to access a service in the environment, comprising the steps of:

responsive to receipt of an account name, logging in the account name to the security service to produce a user id, password, ticket and ticket expiration;

storing the user id, password, ticket and ticket expiration for reuse;

during a stateless transaction and responsive to receipt of a user id and password, checking to determine if the ticket has expired;

if the ticket has not expired, installing an authorization into the process to enable the process to obtain the service from the environment on behalf of the user; and

removing the authorization upon completion of the stateless transaction.

15. The method as described in claim 14 wherein the process is a gateway function that provides the user access to the stateful environment.

16. The method as described in claim 15 wherein the gateway function is a Web server, the user is a client browser, and the stateful environment is a distributed file system service.

17. The method as described in claim 16 wherein the distributed file system service is DFS.

18. A method operative during a stateless Web transaction for enabling a Web server process to impersonate a Web client without change to the browser code used by the Web client, the Web server connectable to a stateful distributed computing environment having a distributed file system service and a security service for returning a credential to a user authenticated to access the distributed file system service, comprising the steps of:

responsive to receipt of an account name, logging in the account name to the security service to produce a user id, password, ticket and ticket expiration;

storing the user id, password, ticket and ticket expiration for reuse;

responsive to receipt of a user id and password during a Web transaction, checking to determine if the ticket has expired;

if the ticket has not expired, installing an authorization into the Web server to enable the process to retrieve a file from the distributed file system on behalf of the Web client; and

upon logging of the Web transaction, removing the authorization from the Web server.
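As an added illustration of the procedure recited in claims 14 and 18 (and the session-manager credential store of claims 7 to 13), not code from the patent: a Python model in which a constructed stand-in for the security service issues a ticket with an expiration, the session manager keeps it for reuse, and the Web server installs the authorization only for the duration of one transaction and removes it on completion whether or not the file retrieval succeeds. All function and class names, the DFS stand-in, and the salted password hash (kept instead of the plaintext password the claims recite) are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the DCE security service login (not a real DFS/DCE API).
def security_service_login(account, ttl, now):
    ticket = hashlib.sha256(f"{account}:{now}".encode()).hexdigest()[:16]
    return ticket, now + ttl

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class SessionManager:
    """Stores credentials of users already authenticated to the DFS (claims 5, 7, 9)."""
    def __init__(self):
        self._store = {}          # user id -> (salt, password hash, ticket, expiration)

    def login(self, account, password, ttl, now):
        """Log the account in to the security service and keep the result for reuse."""
        ticket, expires_at = security_service_login(account, ttl, now)
        salt = os.urandom(16)     # password kept only as a salted hash (hardening beyond the text)
        self._store[account] = (salt, _hash(password, salt), ticket, expires_at)

    def lookup(self, user_id, password, now):
        """Return the ticket if user id/password map into the store and the ticket is unexpired."""
        entry = self._store.get(user_id)
        if entry is None:
            return None
        salt, pw_hash, ticket, expires_at = entry
        if not hmac.compare_digest(_hash(password, salt), pw_hash) or now >= expires_at:
            return None           # unknown user, wrong password or stale ticket: fresh login needed
        return ticket

class WebServer:
    """Per transaction: install the authorization, retrieve the file, remove the authorization."""
    def __init__(self, session_manager, dfs):
        self.sm = session_manager
        self.dfs = dfs            # constructed DFS stand-in: path -> (allowed user ids, content)
        self.pag = None           # stand-in for the PAG stamped into the server control block

    def handle(self, user_id, password, path, now):
        ticket = self.sm.lookup(user_id, password, now)
        if ticket is None:
            return 401, "login sequence initiated"       # claims 2, 8, 11
        self.pag = ticket                                 # install authorization (claims 14, 18)
        try:
            allowed, content = self.dfs.get(path, (set(), None))
            return (200, content) if user_id in allowed else (403, "DFS access denied")
        finally:
            self.pag = None                               # remove authorization upon logging
```

The `finally` clause is what keeps the per-transaction authorization from leaking into the next request the server process handles, which is the "temporarily inhibiting" step of claims 1, 7 and 10.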